DISTORTION MAPS FOR GENUS TWO CURVES 



STEVEN D. GALBRAITH, JORDI PUJOLAS, CHRISTOPHE RITZENTHALER, 
AND BENJAMIN SMITH 



Abstract. Distortion maps are a useful tool for pairing based cryptography. 
Compared with elliptic curves, the case of hyperelliptic curves of genus g > 1 
is more complicated since the full torsion subgroup has rank 2g. In this paper 
we prove that distortion maps always exist for supersingular curves of genus 
g > 1 and we give several examples in genus 2. 
1. Introduction

Let q be a power of a prime p. Let C be a non-singular, geometrically irreducible, and projective curve defined over the finite field $\mathbb{F}_q$. The Jacobian variety of C is denoted by Jac(C), and the q-power Frobenius map is denoted $\pi$. Throughout this paper, we identify $\mathrm{Jac}(C)(\mathbb{F}_{q^n})$ with the degree zero divisor class group of C over $\mathbb{F}_{q^n}$. Let r be a prime number dividing $\#\mathrm{Jac}(C)(\mathbb{F}_q)$ and coprime to p. We define the embedding degree to be the smallest positive integer k such that r divides $q^k - 1$. Note that $\mathbb{F}_{q^k}$ is then the field generated over $\mathbb{F}_q$ by adjoining the r-th roots of unity. If A is an abelian variety, then $\mathrm{End}_K(A)$ denotes the ring of endomorphisms of A defined over a field K, and $\mathrm{End}(A)$ the ring of endomorphisms of A defined over an algebraic closure of K. Unless specified otherwise, all morphisms are defined over the algebraic closure of the field.

An elliptic curve E over $\mathbb{F}_q$ is called supersingular if the number of points on E over $\mathbb{F}_q$ is congruent to 1 modulo p. If E is a supersingular elliptic curve, then $\mathrm{End}(E)$ is an order in a quaternion algebra. More generally, an abelian variety A of dimension g over $\mathbb{F}_q$ is called supersingular if A is isogenous over $\overline{\mathbb{F}}_q$ to a product $E^g$, where E is a supersingular elliptic curve. In this case, it follows that $\mathrm{End}^0(A) = \mathrm{End}(A) \otimes_{\mathbb{Z}} \mathbb{Q}$ is a $\mathbb{Q}$-algebra of dimension $(2g)^2$ as a $\mathbb{Q}$-vector space. Finally, a curve C is called supersingular if Jac(C) is a supersingular abelian variety.

Let r > 2 be a prime dividing $q^k - 1$, and coprime to q. The Tate pairing (see Frey and Rück [FR94]) is a non-degenerate bilinear pairing of the r-torsion in the divisor class group of C over $\mathbb{F}_{q^k}$ with a certain quotient group of the divisor class group over $\mathbb{F}_{q^k}$. Using standard methods (see [BSS05, Gal01]), we can obtain from the Tate pairing a bilinear pairing (often called the reduced Tate pairing) $e_r(\cdot, \cdot)$ from $\mathrm{Jac}(C)(\mathbb{F}_{q^k})[r]$ to the group $\mu_r$ of r-th roots of unity in $\mathbb{F}_{q^k}^*$.

When C is supersingular and $r \parallel \#\mathrm{Jac}(C)(\mathbb{F}_q)$, then $\mathrm{Jac}(C)[r]$ is often contained in $\mathrm{Jac}(C)(\mathbb{F}_{q^k})$ (see [SX95]). In this case, the Weil pairing is also a non-degenerate bilinear pairing on $\mathrm{Jac}(C)(\mathbb{F}_{q^k})[r]$. If the embedding degree k is small, then either the Weil or Tate pairing may be useful for implementing pairing-based cryptosystems (see [Gag03, Pat02, Pat05] for a survey). We use the notation $e_r(\cdot, \cdot)$ to denote any bilinear, nondegenerate, Galois-invariant pairing on $\mathrm{Jac}(C)[r]$ (such as the Weil or reduced Tate pairings).

When Jac(C) is supersingular, the embedding degree k is known to be bounded above by a constant k(g) depending only on the genus g of C (see [Gal01, RS02]). In cryptographic applications, one tends to be interested in cases where the embedding degree is greater than 1, but not "too large".

Bilinearity is an important property of pairings in cryptography: for all integers a and b and elements $D_1$ and $D_2$ of $\mathrm{Jac}(C)[r]$, we have $e_r(aD_1, bD_2) = e_r(D_1, D_2)^{ab}$. For bilinearity to be useful, however, it is necessary that $e_r(D_1, D_2) \neq 1$. It is known that the Weil and Tate pairings are non-degenerate: that is, for each non-zero divisor class $D_1$ of order r, there is a divisor class $D_2$ such that $e_r(D_1, D_2) \neq 1$. A problem arises when one wants to pair two specific divisors $D_1$ and $D_2$ such that $e_r(D_1, D_2) = 1$; this can happen, for example, when for efficiency reasons both divisors are defined over $\mathbb{F}_q$, and k > 1. In these cases, we need distortion maps.

Definition. A distortion map for a non-degenerate pairing $e_r$ and non-zero divisor classes $D_1$, $D_2$ of prime order r on C is an endomorphism $\psi$ of Jac(C) such that $e_r(D_1, \psi(D_2)) \neq 1$.

Distortion maps were introduced by Verheul [Ver01] for elliptic curves in the case where $D_1$ and $D_2$ are defined over the ground field. We stress that our definition depends on the choice of divisor classes (and also the pairing). In general, it is not true that there is a single choice of $\psi$ that is a distortion map for all pairs of non-zero divisor classes.

The goal of this paper is to provide, for certain curves, a collection of efficiently 
computable endomorphisms such that there is a suitable distortion map in the 
collection for any pair of divisor classes on the curves. Note that the Frobenius 
or trace maps may be used as distortion maps in many situations, including the 
case of ordinary curves; but distortion maps for every pair can only be obtained for 
supersingular curves. 

The case where C is an elliptic curve is quite simple. If $D_1$ and $D_2$ are nonzero divisor classes and $e_r(D_1, D_2) = 1$, then any divisor $D_3$ of order r which is independent of $D_2$ (that is, $\langle D_2 \rangle \cap \langle D_3 \rangle = \{0\}$) satisfies $e_r(D_1, D_3) \neq 1$. This follows from the non-degeneracy of the pairing, and the fact that the r-torsion of an elliptic curve has rank 2. For this reason, and others, the problem of finding distortion maps for elliptic curves is relatively easy to handle. An algorithm to find distortion maps for any supersingular elliptic curve has been given by Galbraith and Rotger [GR04].¹

For curves C of genus g > 1, the r-torsion of the Jacobian has rank 2g; so 
independence of divisors is not sufficient to imply non-triviality of their pairing. 
Indeed, elementary linear algebra implies that for every non-trivial divisor D of 
order r, there exists a basis for Jac(C)[r] such that D pairs trivially with all but 
one of the basis elements. Furthermore, elements of End(Jac(C)) may be difficult 
to handle, as they generally do not correspond to maps from C to itself. 

In this paper, we discuss this situation, with particular emphasis on curves of genus 2. In Section 2, we prove that distortion maps always exist for supersingular abelian varieties. The rest of the paper is concerned with the question of whether such maps can be easily computed on Jacobians of curves. In Section 3, we provide a list of examples of supersingular curves with suitable embedding degree. These examples are explored in depth in the subsequent sections. The results of Section 4, first presented in [GP05], concern the case k = 4 where p ≡ 2, 3 (mod 5). After illustrating our approach on this simple case, we generalize the method to other curves in Section 5. Section 6 deals with the case k = 5 when p = 5, and Section 7 deals with the case k = 6 when p ≡ 2 (mod 3) (and p ≠ 2). Finally, Section 8 treats the case k = 12 and p = 2. We provide non-trivial, efficient, explicit distortion maps for each curve.

¹ Note that there is a missing condition in Lemma 5.1 of [GR04], namely that $\psi(P) \neq 0$. Since the degree of $\psi$ in [GR04] is d, which is much smaller than r, this condition is always satisfied.

Note that there is an important distinction between the cases k = 4, 12 and k = 5, 6. For the former cases, our results are conditional, since they depend on the assumption (verified in practice) that some denominators can be cancelled, which is the case if they are prime to r. In these cases, there seems to be no easy explicit decomposition of Jac(C): even when we know that the Jacobian splits into a product E × E, the degree of the induced morphisms from C to E is unknown. However, the curves we consider in the cases k = 5 and k = 6 are both twists of $y^2 = x^6 + 1$, which has two degree-2 maps to an elliptic curve E (see Section 7 for details). This structure is used in a crucial way to remove the assumption on the denominators for the case k = 6 (for the case k = 5 another argument is used, which is restricted to the case where $e_r$ is the Tate pairing, but the same proof could be adapted).

2. The existence of distortion maps 

Schoof and Verheul [Ver04] have shown that distortion maps always exist for supersingular elliptic curves over $\mathbb{F}_q$. In this section, we generalise their result to supersingular abelian varieties.

First, we recall an important theorem of Tate [Tat66]. Suppose A is an abelian variety over a finite field K of characteristic p, and let $G = \mathrm{Gal}(\overline{K}/K)$. Let l be a prime not equal to p, and let $T_l(A) := \varprojlim A[l^n]$ be the l-Tate module of A. Let $\mathrm{End}_G(T_l(A))$ denote the ring of endomorphisms of $T_l(A)$ which commute with the action of G. Tate's theorem states that the canonical injection

$$\mathrm{End}_K(A) \otimes_{\mathbb{Z}} \mathbb{Z}_l \longrightarrow \mathrm{End}_G(T_l(A))$$

is an isomorphism.

Theorem 2.1. Let A be a supersingular abelian variety of dimension g over $\mathbb{F}_q$, and let r be a prime not equal to the characteristic of $\mathbb{F}_q$. For every two non-trivial elements $D_1$ and $D_2$ of $A(\mathbb{F}_q)[r]$, there exists an endomorphism $\phi$ of A such that $e_r(D_1, \phi(D_2)) \neq 1$.

Proof. Let d be an integer such that the $q^d$-power Frobenius map acts as an integer multiplication on A. Let $K = \mathbb{F}_{q^d}$ and $G = \mathrm{Gal}(\overline{K}/K)$. Since A is supersingular, $\mathrm{End}(A) \otimes_{\mathbb{Z}} \mathbb{Z}_r$ is a free $\mathbb{Z}_r$-module of rank $(2g)^2$. By definition, $\mathrm{End}_K(A)$ is contained in $\mathrm{End}(A)$, so we may view $\mathrm{End}_K(A) \otimes_{\mathbb{Z}} \mathbb{Z}_r$ as a submodule of $\mathrm{End}(A) \otimes_{\mathbb{Z}} \mathbb{Z}_r$. By Tate's theorem, $\mathrm{End}_K(A) \otimes_{\mathbb{Z}} \mathbb{Z}_r$ is isomorphic to the $\mathbb{Z}_r$-module $\mathrm{End}_G(T_r(A))$ of endomorphisms which commute with the $q^d$-power Frobenius; but the $q^d$-power Frobenius is an integer, so it commutes with every endomorphism of A (and of $T_r(A)$). Thus $\mathrm{End}_G(T_r(A)) = \mathrm{End}(T_r(A))$. Since $T_r(A) \cong \mathbb{Z}_r^{2g}$ as a $\mathbb{Z}_r$-module, we have

$$\mathrm{End}_K(A) \otimes_{\mathbb{Z}} \mathbb{Z}_r \cong \mathrm{End}_G(T_r(A)) \cong M_{2g}(\mathbb{Z}_r).$$

Hence $\mathrm{End}_K(A) = \mathrm{End}(A)$ also has rank $(2g)^2$. By restriction, we have

$$\mathrm{End}_K(A) \otimes_{\mathbb{Z}} \mathbb{Z}/r\mathbb{Z} \cong M_{2g}(\mathbb{Z}/r\mathbb{Z}).$$

Let $D_3$ be an element of A[r] such that $e_r(D_1, D_3) \neq 1$ (in fact, $D_3$ is irrational). There exists some matrix $\Phi$ in $M_{2g}(\mathbb{Z}/r\mathbb{Z})$ corresponding to a mapping of the subspace $\langle D_2 \rangle$ to $\langle D_3 \rangle$. Let $\phi$ be a preimage in $\mathrm{End}(A)$ of $\Phi$: by construction, $e_r(D_1, \phi(D_2)) \neq 1$. □

The proof of Theorem 2.1 shows that to have a distortion map for every pair of divisors, we must have a full rank-$(2g)^2$ module of endomorphisms. In other words, if the rank of $\mathrm{End}(\mathrm{Jac}(C))$ is strictly less than $(2g)^2$, then there will exist non-zero elements $D_1$ and $D_2$ of $\mathrm{Jac}(C)[r]$ such that $e_r(D_1, \psi(D_2)) = 1$ for every endomorphism $\psi$ of Jac(C). In particular, if C is not supersingular, then there are pairs $(D_1, D_2)$ for which no distortion maps exist.

Remark. It is important to note that Theorem 2.1 is not constructive. 
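The mechanism of the proof can nevertheless be run on a finite model. The following Python is an added example, not part of the paper: it identifies A[r] with $\mathbb{F}_r^{2g}$, models $e_r$ by a non-degenerate alternating form written additively (so a pairing value 0 here plays the role of 1 above), and takes $\mathrm{End}(A) \otimes \mathbb{Z}/r\mathbb{Z}$ to be all of $M_{2g}(\mathbb{Z}/r\mathbb{Z})$ as in the supersingular case; all three are modelling assumptions of this example. It also checks the genus-1 versus genus-2 contrast from the introduction: independence of $D_3$ from $D_2$ forces a non-trivial pairing when 2g = 2 but not when 2g = 4.

```python
# Added example, not part of the paper: the linear algebra in the proof of
# Theorem 2.1 run on a finite model.  Modelling assumptions (all constructed
# for this illustration):
#   * A[r] is the column space F_r^{2g}, r prime;
#   * the pairing is written additively, e(D1, D2) = D1^T J D2 mod r, with J
#     the standard symplectic matrix (a non-degenerate alternating form, as
#     the Weil pairing is); a value 0 here plays the role of 1 in the text;
#   * End(A) tensor Z/rZ is all of M_{2g}(Z/rZ), as in the supersingular case.
from itertools import product


def symplectic_matrix(g):
    """J = [[0, I_g], [-I_g, 0]], the matrix of the model pairing."""
    n = 2 * g
    J = [[0] * n for _ in range(n)]
    for i in range(g):
        J[i][g + i] = 1
        J[g + i][i] = -1
    return J


def pair(D1, D2, J, r):
    """e(D1, D2) = D1^T J D2 mod r."""
    n = len(D1)
    return sum(D1[i] * J[i][j] * D2[j] for i in range(n) for j in range(n)) % r


def apply(M, D, r):
    """Matrix-vector product over Z/rZ."""
    return [sum(M[i][j] * D[j] for j in range(len(D))) % r for i in range(len(M))]


def is_zero(D):
    return all(v == 0 for v in D)


def independent(D2, D3, r):
    """<D2> and <D3> meet only in 0: D3 is non-zero and not a multiple of D2."""
    return not is_zero(D3) and all([(a * v) % r for v in D2] != list(D3) for a in range(r))


def distortion_matrix(D1, D2, J, r):
    """The construction in the proof of Theorem 2.1.

    Non-degeneracy gives some D3 with e(D1, D3) != 0; here D3 is the standard
    basis vector at a non-zero entry of the row vector D1^T J.  Any matrix
    Phi with Phi*D2 = D3 then works; the rank-1 matrix D3 * e_k^T / D2[k]
    suffices, where k is any index with D2[k] != 0."""
    n = len(D1)
    row = [sum(D1[i] * J[i][j] for i in range(n)) % r for j in range(n)]
    j3 = next(j for j in range(n) if row[j] != 0)
    D3 = [1 if j == j3 else 0 for j in range(n)]
    k = next(i for i in range(n) if D2[i] != 0)
    inv = pow(D2[k], -1, r)
    return [[(D3[i] * inv) % r if j == k else 0 for j in range(n)] for i in range(n)]


def check_all_pairs(g, r):
    """For every pair (D1, D2) of non-zero vectors with e(D1, D2) = 0, build
    Phi and confirm e(D1, Phi*D2) != 0.  Returns (number of such pairs,
    whether every constructed Phi worked)."""
    J = symplectic_matrix(g)
    vectors = [list(v) for v in product(range(r), repeat=2 * g) if not is_zero(v)]
    needed, ok = 0, True
    for D1 in vectors:
        for D2 in vectors:
            if pair(D1, D2, J, r) == 0:
                needed += 1
                Phi = distortion_matrix(D1, D2, J, r)
                ok = ok and pair(D1, apply(Phi, D2, r), J, r) != 0
    return needed, ok


def independence_suffices(g, r):
    """The genus-1 versus genus-2 contrast from the introduction: when
    e(D1, D2) = 0, does every D3 independent of D2 satisfy e(D1, D3) != 0?
    True for 2g = 2 (rank-2 torsion), false for 2g = 4."""
    J = symplectic_matrix(g)
    vectors = [list(v) for v in product(range(r), repeat=2 * g) if not is_zero(v)]
    for D1 in vectors:
        for D2 in vectors:
            if pair(D1, D2, J, r) != 0:
                continue
            for D3 in vectors:
                if independent(D2, D3, r) and pair(D1, D3, J, r) == 0:
                    return False
    return True


if __name__ == "__main__":
    print(check_all_pairs(2, 3))                                      # (2080, True)
    print(independence_suffices(1, 5), independence_suffices(2, 3))   # True False
```

The rank-1 choice of $\Phi$ is deliberate: the proof only needs some matrix carrying $\langle D_2 \rangle$ onto $\langle D_3 \rangle$, and the count returned by check_all_pairs shows how many pairs actually need a distortion map (for each non-zero $D_1$, a whole hyperplane of $D_2$'s pairs trivially with it, which is exactly the genus-2 difficulty described above).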

3. Embedding degrees of supersingular genus 2 curves 

In this section we list some supersingular genus 2 curves which are of potential 
interest for applications. First, we recall the results of Rubin and Silverberg [RS02] 
classifying the possible embedding degrees for supersingular abelian varieties of 
dimension 2. We focus on the case where q is an odd power of p: this gives the 
largest values for k, and so is usually the most interesting case in practice. 

Theorem 3.1 (Rubin-Silverberg [RS02]). Let q be an odd power of a prime p. The precise set of possible embedding degrees for simple supersingular abelian surfaces over $\mathbb{F}_q$ is given in the following table.

    p        Possible embedding degrees k
    2        {1, 3, 6, 12}
    3        {1, 3, 4}
    5        {1, 3, 4, 5, 6}
    ≥ 7      {1, 3, 4, 6}

We note that other embedding degrees, such as k = 2, may be realised using non-simple abelian surfaces. Since large embedding degrees are of the most interest, we focus on the cases where k is 4, 5, 6 and 12.

k = 4: The CM curve $y^2 = x^5 + A$ over $\mathbb{F}_p$ where p > 2 and p ≡ 2, 3 (mod 5) is supersingular, and has embedding degree 4. More generally, reductions of the CM curves listed by van Wamelen [vWam99] have embedding degree 4. These curves are discussed in Sections 4 and 5.

k = 5: The curves $y^2 = x^5 - x \pm 1$ where p = 5, described by Duursma and Sakurai [DS00], are supersingular and have embedding degree 5. We discuss these curves in Section 6.

k = 6: An abelian variety over $\mathbb{F}_q$ has embedding degree 6 if its characteristic polynomial of Frobenius is of the form $T^4 - qT^2 + q^2$. A result of Howe, Maisner, Nart and Ritzenthaler [HMNR06, Theorem 1] implies that such abelian varieties have a principal polarisation if and only if p ≢ 1 (mod 3). Hence, Jacobians of curves of genus 2 can have embedding degree 6 only when p ≢ 1 (mod 3). In Section 7, we give an algorithm to construct supersingular curves with embedding degree 6 when p ≡ 2 (mod 3) and p > 5, by taking suitable twists of the curve $y^2 = x^6 + 1$.

k = 12: The curves $y^2 + y = x^5 + x^3 + b$ over $\mathbb{F}_{2^m}$ where b = 0, 1 are supersingular, with embedding degree 12. We consider these curves in Section 8.

4. Curves with embedding degree 4: CM induced by an automorphism 

In this section, we work with q = p such that p > 2 and p ≡ 2, 3 (mod 5). Consider the curve $\tilde{C}$ defined over $\mathbb{Q}$ by

$$\tilde{C} : y^2 = x^5 + 1.$$

The curve $\tilde{C}$ has an automorphism $\tilde{\rho}_5$ of order 5 defined by

$$\tilde{\rho}_5 : (x, y) \longmapsto (\zeta_5 x, y),$$

where $\zeta_5$ is a primitive fifth root of unity over $\mathbb{Q}$. The automorphism $\tilde{\rho}_5$ induces an endomorphism of $\mathrm{Jac}(\tilde{C})$, which we also denote $\tilde{\rho}_5$. The minimal polynomial of $\tilde{\rho}_5$ is the same as that of $\zeta_5$, so $\mathrm{End}^0(\mathrm{Jac}(\tilde{C}))$ contains the CM-field $\mathbb{Q}(\zeta_5)$.

Reducing $\tilde{C}$ modulo p, we obtain a curve C defined over $\mathbb{F}_p$. Since p ≢ 1 (mod 5), the endomorphism $\tilde{\rho}_5$ reduces to a non-trivial endomorphism of Jac(C), also denoted $\rho_5$. This endomorphism was first used as a distortion map by Choie and Lee [CL04].

Remark. If p ≡ 1 (mod 5), then Jac(C) is ordinary. If p ≡ 4 (mod 5), then Jac(C) is supersingular but not simple. This explains our restriction to p ≡ 2, 3 (mod 5).

Lemma 4.1. The Jacobian Jac(C) is $\mathbb{F}_p$-simple, supersingular, and has embedding degree 4.

Proof. Observe that 5 does not divide p − 1, so for each value of y in $\mathbb{F}_p$ there is a unique value $x = (y^2 - 1)^{1/5}$ yielding a point (x, y) in $C(\mathbb{F}_p)$. Since C has a single point at infinity, we have $\#C(\mathbb{F}_p) = p + 1$. Similarly, since 5 does not divide $p^2 - 1$, we obtain $\#C(\mathbb{F}_{p^2}) = p^2 + 1$. It follows that $\#\mathrm{Jac}(C)(\mathbb{F}_p) = p^2 + 1$, and that the characteristic polynomial of the p-power Frobenius endomorphism $\pi$ on Jac(C) is $P(T) = T^4 + p^2$. This polynomial is irreducible over $\mathbb{Z}$, so Jac(C) is simple (but not absolutely simple). We may also deduce from the form of P(T) that C is supersingular (see [SX95, Gal01]).

It remains to compute the embedding degree. If r is an odd prime dividing $\#\mathrm{Jac}(C)(\mathbb{F}_p)$, then r divides $p^2 + 1$; hence r divides $p^4 - 1$, and does not divide $p^i - 1$ for any i less than 4. We conclude that Jac(C) has embedding degree 4. □
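As an added illustration (not from the paper), the following Python checks Lemma 4.1 numerically for small primes p ≡ 2, 3 (mod 5): it counts the points of $y^2 = x^5 + 1$ over $\mathbb{F}_p$ and $\mathbb{F}_{p^2}$ by brute force (with $\mathbb{F}_{p^2}$ built as $\mathbb{F}_p[s]/(s^2 - n)$ for a quadratic non-residue n), derives $\#\mathrm{Jac}(C)(\mathbb{F}_p)$ from the standard genus-2 formula $(N_1^2 + N_2)/2 - p$, and computes the embedding degree of each odd prime dividing it. The function names and the test primes are this example's own choices.

```python
# Added example, not from the paper: a numerical check of Lemma 4.1 for
# small primes p = 2, 3 (mod 5).  Point counts are brute force; F_{p^2} is
# constructed as F_p[s]/(s^2 - n) for a quadratic non-residue n; the
# Jacobian order comes from the standard genus-2 formula
#     #Jac(C)(F_p) = (N1^2 + N2)/2 - p,   N_i = #C(F_{p^i}).
# Function names and the test primes are this example's own choices.


def quadratic_nonresidue(p):
    """Smallest n in F_p (p odd) with no square root, by Euler's criterion."""
    return next(n for n in range(2, p) if pow(n, (p - 1) // 2, p) == p - 1)


def affine_count_fp(p):
    """Affine points of C: y^2 = x^5 + 1 over F_p."""
    roots = {}
    for y in range(p):
        roots[y * y % p] = roots.get(y * y % p, 0) + 1   # number of y with y^2 = v
    return sum(roots.get((pow(x, 5, p) + 1) % p, 0) for x in range(p))


def affine_count_fp2(p):
    """Affine points of C over F_{p^2}; elements are pairs (a, b) meaning a + b*s."""
    n = quadratic_nonresidue(p)

    def mul(u, v):
        a, b = u
        c, d = v
        return ((a * c + n * b * d) % p, (a * d + b * c) % p)

    elems = [(a, b) for a in range(p) for b in range(p)]
    roots = {}
    for y in elems:
        sq = mul(y, y)
        roots[sq] = roots.get(sq, 0) + 1
    total = 0
    for x in elems:
        x2 = mul(x, x)
        x5 = mul(mul(x2, x2), x)
        rhs = ((x5[0] + 1) % p, x5[1])                # x^5 + 1
        total += roots.get(rhs, 0)
    return total


def jacobian_order(p):
    """(#Jac(C)(F_p), N1, N2); C has a single point at infinity."""
    N1 = affine_count_fp(p) + 1
    N2 = affine_count_fp2(p) + 1
    return (N1 * N1 + N2) // 2 - p, N1, N2


def embedding_degree(r, q):
    """Smallest k >= 1 with r | q^k - 1 (r prime, r does not divide q)."""
    k, t = 1, q % r
    while t != 1:
        t = t * q % r
        k += 1
    return k


def prime_factors(n):
    out, d = [], 2
    while d * d <= n:
        while n % d == 0:
            out.append(d)
            n //= d
        d += 1
    if n > 1:
        out.append(n)
    return out


def check_lemma_4_1(p):
    """(N1 == p+1, N2 == p^2+1, #Jac == p^2+1, {r: k for odd primes r | #Jac})."""
    J, N1, N2 = jacobian_order(p)
    degrees = {r: embedding_degree(r, p) for r in sorted(set(prime_factors(J))) if r != 2}
    return N1 == p + 1, N2 == p * p + 1, J == p * p + 1, degrees


if __name__ == "__main__":
    for p in (3, 7, 13, 17):     # each is 2 or 3 mod 5
        print(p, check_lemma_4_1(p))
```

For p = 7 the Jacobian order is 50 and the only odd prime divisor is 5, whose embedding degree with respect to 7 is 4; the same pattern (every odd prime divisor of $p^2 + 1$ has embedding degree exactly 4) appears for the other test primes, as the proof predicts.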

Our goal is to show that for any pair of divisor classes on C, there is a suitable distortion map of the form $\pi^i \rho_5^j$ for some i and j. The first step towards establishing this result is to show that the $\mathbb{Q}$-algebra $\mathrm{End}^0(\mathrm{Jac}(C))$ is generated as a $\mathbb{Q}$-module by maps of the form $\pi^i \rho_5^j$.

Consider the non-commutative subring $\mathbb{Z}[\rho_5, \pi]$ of $\mathrm{End}(\mathrm{Jac}(C))$ generated by $\rho_5$ and $\pi$. We let $\mathbb{Q}[\rho_5, \pi]$ denote the non-commutative $\mathbb{Q}$-algebra $\mathbb{Z}[\rho_5, \pi] \otimes_{\mathbb{Z}} \mathbb{Q}$. Since $\mathbb{Z}[\rho_5, \pi]$ is a finitely generated $\mathbb{Z}$-module, $\mathbb{Q}[\rho_5, \pi]$ is a finite dimensional $\mathbb{Q}$-vector space. Note that since the characteristic polynomial of $\pi$ has nonzero constant term, there exists an element $\pi^{-1}$ of $\mathbb{Q}[\rho_5, \pi]$ such that $\pi^{-1}\pi = \pi\pi^{-1} = 1$.

Lemma 4.2. Let $\pi$ and $\rho_5$ be as above. Then $\pi^j \rho_5 \pi^{-j} = \rho_5^{p^j}$ for all j ≥ 0.

Proof. Clearly $\pi\rho_5(x, y) = (\zeta_5^p x^p, y^p) = \rho_5^p \pi(x, y)$. □
Lemma 4.2 implies that the inner automorphism $\phi \mapsto \pi\phi\pi^{-1}$ of $\mathbb{Q}[\rho_5, \pi]$ has order 4 and maps $\mathbb{Q}(\rho_5)$ to itself, and so corresponds to a generator $\sigma$ of the cyclic group $\mathrm{Gal}(\mathbb{Q}(\rho_5)/\mathbb{Q})$. Let $\rho_5^{\sigma^j}$ denote the map $\sigma^j(\rho_5)$. Since $\mathrm{Gal}(\mathbb{Q}(\rho_5)/\mathbb{Q})$ is cyclic of order 4, the maps $\rho_5^{\sigma^j}$ are distinct for 0 ≤ j ≤ 3.

Proposition 4.3. As a $\mathbb{Q}$-vector space, $\mathbb{Q}[\rho_5, \pi]$ has a direct sum decomposition

$$\mathbb{Q}[\rho_5, \pi] = \mathbb{Q}(\rho_5) \oplus \pi\mathbb{Q}(\rho_5) \oplus \pi^2\mathbb{Q}(\rho_5) \oplus \pi^3\mathbb{Q}(\rho_5).$$

Proof. We will prove by induction that the sum $\sum_{i=0}^{t} \pi^i \mathbb{Q}(\rho_5)$ is direct for each 0 ≤ t ≤ 3. For t = 0 there is nothing to prove. For the inductive step, assume $U_n = \bigoplus_{i=0}^{n} \pi^i \mathbb{Q}(\rho_5)$ is direct for 0 ≤ n ≤ 2; we will show that $U_n \cap \pi^{n+1}\mathbb{Q}(\rho_5) = \{0\}$. Suppose the contrary: then there is a non-zero z in $\mathbb{Q}(\rho_5)$ such that $\pi^{n+1} z$ is in $U_n$. Dividing by z, we can write $\pi^{n+1} = z_0 + \pi z_1 + \cdots + \pi^n z_n$, with coefficients $z_j$ in $\mathbb{Q}(\rho_5)$ for 0 ≤ j ≤ n, and with at least one of the $z_i$ not zero. Let $\sigma$ be a generator of $\mathrm{Gal}(\mathbb{Q}(\rho_5)/\mathbb{Q})$ satisfying $\rho_5^{\sigma} = \rho_5^{p}$. Lemma 4.2 implies $\rho_5^{\sigma}\pi = \pi\rho_5$, and thus $\rho_5^{\sigma^{n+1}}\pi^{n+1} = \pi^{n+1}\rho_5$. Hence

$$\begin{aligned}
0 &= \rho_5^{\sigma^{n+1}}\pi^{n+1} - \pi^{n+1}\rho_5 \\
  &= \rho_5^{\sigma^{n+1}}(z_0 + \pi z_1 + \cdots + \pi^n z_n) - (z_0\rho_5 + \pi z_1\rho_5 + \cdots + \pi^n z_n\rho_5) \\
  &= z_0\rho_5^{\sigma^{n+1}} + \pi z_1\rho_5^{\sigma^{n}} + \cdots + \pi^n z_n\rho_5^{\sigma} - z_0\rho_5 - \pi z_1\rho_5 - \cdots - \pi^n z_n\rho_5 \\
  &= z_0(\rho_5^{\sigma^{n+1}} - \rho_5) + \pi z_1(\rho_5^{\sigma^{n}} - \rho_5) + \cdots + \pi^n z_n(\rho_5^{\sigma} - \rho_5).
\end{aligned}$$

But $U_n$ is a direct sum, and $\rho_5^{\sigma^j} \neq \rho_5$ for 1 ≤ j ≤ 3; hence $z_0 = z_1 = \cdots = z_n = 0$, which is a contradiction. □

Corollary 4.4. We have

$$\mathrm{End}^0(\mathrm{Jac}(C)) = \mathbb{Q}[\rho_5, \pi] = \left\{ \sum_{0 \le i, j \le 3} \lambda_{ij}\, \pi^i \rho_5^j : \lambda_{ij} \in \mathbb{Q} \right\}.$$

Proof. We know $\mathbb{Q}(\rho_5)$ is a 4-dimensional $\mathbb{Q}$-vector space, so by Proposition 4.3 $\mathbb{Q}[\rho_5, \pi]$ is a 16-dimensional $\mathbb{Q}$-vector subspace of $\mathrm{End}^0(\mathrm{Jac}(C))$. But $\mathrm{End}^0(\mathrm{Jac}(C))$ is itself 16-dimensional, so $\mathbb{Q}[\rho_5, \pi] = \mathrm{End}^0(\mathrm{Jac}(C))$. The second equality then follows on noting that $\{1, \rho_5, \rho_5^2, \rho_5^3\}$ is a $\mathbb{Q}$-basis for $\mathbb{Q}(\rho_5)$. □

Theorem 2.1 implies the existence of a distortion map $\phi$ for every pair $(D_1, D_2)$ of non-trivial points of order r on Jac(C): that is, an endomorphism $\phi$ such that $e_r(D_1, \phi(D_2)) \neq 1$. Now $\mathrm{End}(\mathrm{Jac}(C))$ is an order in $\mathbb{Q}[\rho_5, \pi]$ containing $\mathbb{Z}[\rho_5, \pi]$, so by Corollary 4.4 there exist rational numbers $\lambda_{ij}$ such that $\phi = \sum_{i,j} \lambda_{ij}\, \pi^i \rho_5^j$ in $\mathbb{Q}[\rho_5, \pi]$. Let m denote the least common multiple of the denominators of the $\lambda_{ij}$; note that the endomorphism $m\phi$ is an element of $\mathbb{Z}[\rho_5, \pi]$.

Assumption 1. We assume that $\phi$ may be chosen such that $\gcd(m, r) = 1$, where $\phi$, m and r are defined as above.

Remark. Assumption 1 holds if $\mathbb{Z}[\rho_5, \pi]$ is "most" of $\mathrm{End}(\mathrm{Jac}(C))$, and seems to hold in practical examples. However, we have not proven that it is always satisfied for the curves under consideration. It is instructive to consider Assumption 1 in the case where Jac(C) is a supersingular elliptic curve E. In this case, $\mathrm{End}(E)$ is a maximal order $\mathcal{O}$ in a quaternion algebra $B = \mathbb{Q}[\pi, \psi]$ where $\pi$ is the q-power Frobenius and $\psi$ is some other endomorphism. Note that $\alpha\mathcal{O}\alpha^{-1}$ is a maximal order in B for every nonzero $\alpha$ in B; so maximal orders in B can be very far from $\mathbb{Z}[\pi, \psi]$. Thus Assumption 1 may not be true in general. However, following the arguments of [GR04], we may suppose that E has been constructed by the CM method, in which case $\psi^2 = -d$ for some relatively small positive integer d. Hence $\mathbb{Z}[\pi, \psi]$ is contained in $\mathcal{O}$, and Assumption 1 holds when r is larger than d.

Theorem 4.5. If Assumption 1 holds, then for all pairs $(D_1, D_2)$ of non-zero divisor classes on C of order r and all non-degenerate pairings $e_r$ there exists a distortion map of the form $\pi^i \rho_5^j$ with 0 ≤ i, j ≤ 3.

Proof. Theorem 2.1 shows that there exists an endomorphism $\phi$ that is a suitable distortion map for $(D_1, D_2)$; Corollary 4.4 shows that $\phi$ is in $\mathbb{Q}[\rho_5, \pi]$. Under Assumption 1, we may take an integer m prime to r such that $m\phi$ is in $\mathbb{Z}[\rho_5, \pi]$ and

$$e_r(D_1, m\phi(D_2)) = e_r(D_1, \phi(D_2))^m \neq 1;$$

so $m\phi$ is also a distortion map for $(D_1, D_2)$. Since $m\phi$ is an integer combination of the $\pi^i \rho_5^j$, we must have $e_r(D_1, \pi^i \rho_5^j(D_2)) \neq 1$ for some 0 ≤ i, j ≤ 3 (otherwise, if all $e_r(D_1, \pi^i \rho_5^j(D_2)) = 1$, then $e_r(D_1, m\phi(D_2)) = 1$ by the linearity of the pairing). □

Remark. Alternatively, one could use maps of the form $\rho_5^j \pi^i$ in Theorem 4.5.

Example. Let $D_1$ be a nonzero element of $\mathrm{Jac}(C)[r]$ defined over $\mathbb{F}_p$; note that $\pi(D_1) = D_1$. It is easy to show that, under Assumption 1, $e_r(D_1, \rho_5^j(D_1)) \neq 1$ for some 1 ≤ j ≤ 3. This supports the suggestion in [CL04] of using $\rho_5$ as a distortion map. When implementing pairings, it is desirable to utilise denominator elimination to improve efficiency; to this end, the map $\rho_5^j$ might be combined with a trace operation (see Scott [Sco04] for an example of this in the elliptic case).

Remark. The results in this section easily generalise to the twists $y^2 = x^5 + A$ of C (for nonzero A), and even more generally to the curves $y^2 = x^{2n+1} + A$ over $\mathbb{F}_p$, where 2n + 1 is prime and p is a primitive root modulo 2n + 1.

5. Curves with embedding degree 4: Other CM curves 

In [vWam99] and [vWam99b], van Wamelen describes the 19 isomorphism classes of curves of genus 2 over $\mathbb{Q}$ whose Jacobians have CM by the ring of integers of a CM-field. For each isomorphism class, van Wamelen provides a representative curve $\tilde{C}_i$ defined over $\mathbb{Q}$, the CM-field $F_i := \mathrm{End}^0(\mathrm{Jac}(\tilde{C}_i))$, and an explicit partial description of an endomorphism $\tilde{\alpha}_i$ of $\mathrm{Jac}(\tilde{C}_i)$ such that $F_i = \mathbb{Q}(\tilde{\alpha}_i)$, giving the (x-coordinates of) the image under $\tilde{\alpha}_i$ of the image of a generic point (x, y) of $\tilde{C}_i$ in $\mathrm{Jac}(\tilde{C}_i)$. One can derive a full description of the endomorphism $\tilde{\alpha}_i$ from this information (see Pujolàs [Puj06] for details).

The curve $\tilde{C}$ of Section 4 is a representative of the isomorphism class corresponding to the CM-field $\mathbb{Q}(\zeta_5)$ in van Wamelen's tables. In this section, we generalize our treatment of C to the other CM curves $\tilde{C}_i$. Reducing each $\tilde{C}_i$ modulo suitable inert primes p, we obtain curves $C_i$ over $\mathbb{F}_p$ whose Jacobians are simple, supersingular, and whose characteristic polynomial of Frobenius is equal to $T^4 + p^2$. These Jacobians therefore have a very similar endomorphism structure to that of the Jacobian in Section 4.

Let $\tilde{\alpha}_i$ be an endomorphism of $\mathrm{Jac}(\tilde{C}_i)$ such that $\mathrm{End}^0(\mathrm{Jac}(\tilde{C}_i)) = \mathbb{Q}(\tilde{\alpha}_i)$; the endomorphism supplied by van Wamelen suffices. Note that $\tilde{\alpha}_i$ is defined over the quartic field $F_i$, which has cyclic Galois group over $\mathbb{Q}$ for all of the curves in [vWam99]. Let $\alpha_i$ denote the image of $\tilde{\alpha}_i$ in $\mathrm{End}(\mathrm{Jac}(C_i))$. Since p is inert in the cyclic quartic field $F_i$, it follows that $\alpha_i$ is defined over $\mathbb{F}_{p^4}$. If $\pi$ is the p-power Frobenius map then, as before, we have

$$\pi \alpha_i \pi^{-1} = \alpha_i^{(p)},$$

where $\alpha_i^{(p)}$ denotes the map obtained from $\alpha_i$ by applying the p-power Frobenius to the coefficients of $\alpha_i$. It follows that the inner automorphism $\phi \mapsto \pi\phi\pi^{-1}$ generates $\mathrm{Gal}(\mathbb{Q}(\alpha_i)/\mathbb{Q})$. We may therefore prove an analogue of Proposition 4.3 for each curve $C_i$.

Proposition 5.1. The non-commutative $\mathbb{Q}$-algebra $\mathbb{Q}[\alpha_i, \pi]$ generated by $\alpha_i$ and $\pi$ is a 16-dimensional $\mathbb{Q}$-vector space, and (as $\mathbb{Q}$-vector spaces)

$$\mathbb{Q}[\alpha_i, \pi] = \mathbb{Q}(\alpha_i) \oplus \pi\mathbb{Q}(\alpha_i) \oplus \pi^2\mathbb{Q}(\alpha_i) \oplus \pi^3\mathbb{Q}(\alpha_i).$$

As a result, under the appropriate analogue of Assumption 1, we may choose a distortion map of the form $\pi^u \alpha_i^v$ with 0 ≤ u, v ≤ 3 for any pair of elements of $\mathrm{Jac}(C_i)[r]$. The van Wamelen curves are therefore suitable for cryptography in the sense that one can easily find a distortion map for every pair of divisors.

Remark. In practice, evaluating the maps $\tilde{\alpha}_i$ of [vWam99b] is relatively complicated, making the distortion maps of the curves in this section relatively inefficient compared with those of the CM curve $y^2 = x^5 + 1$ described in Section 4.

Remark. One could also construct curves with distortion maps by reducing CM 
curves defined over number fields other than Q. 

6. Curves with embedding degree 5 

The curves $C : y^2 = x^p - x + b$ over $\mathbb{F}_p$ with b = ±1 have been studied by Duursma and Sakurai [DS00], and efficient pairing computation on these curves was studied by Duursma and Lee [DL03]. Our interest is in the genus 2 case, so in this section we consider the curves

$$C : y^2 = x^5 - x + b$$

over $\mathbb{F}_q$, where $q = 5^m$ for some m coprime to 10, and b = ±1. The distortion map proposed by Duursma and Lee [DL03] is

$$\psi(x, y) = (\rho - x, 2y),$$

where $\rho$ is an element of $\mathbb{F}_{5^5}$ such that $\rho^5 - \rho + 2b = 0$.

The characteristic polynomial of the (q-power) Frobenius for these curves is

$$P_{\pm}(T) = T^4 \pm 5^{(m+1)/2}\, T^3 + 3 \cdot 5^m\, T^2 \pm 5^{(3m+1)/2}\, T + 5^{2m}.$$

Observe that

$$P_{+}(T)\, P_{-}(T) = T^8 + qT^6 + q^2T^4 + q^3T^2 + q^4,$$

and hence that $(T^2 - q)\, P_{+}(T)\, P_{-}(T) = T^{10} - q^5$. Let $N := \#\mathrm{Jac}(C)(\mathbb{F}_q)$. Since N is equal to either $P_{+}(1)$ or $P_{-}(1)$, it follows that N divides $q^5 - 1$; hence the embedding degree is k = 5 for large prime-order subgroups of $\mathrm{Jac}(C)(\mathbb{F}_q)$. Note that the characteristic polynomial of the $q^5$-power Frobenius is $(T^2 - 5^{5m})^2$, and that the full N-torsion is defined over $\mathbb{F}_{q^{10}}$ but not over $\mathbb{F}_{q^5}$. Since $\mathrm{Jac}(C)(\mathbb{F}_{q^k})[N] \cong (\mathbb{Z}/N\mathbb{Z})^2$, this case is as easily handled as the elliptic curve case in Section 1.
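To make the identities above concrete, here is an added Python check (not from the paper) using exact integer polynomial arithmetic: it multiplies out $P_+(T)P_-(T)$ and $(T^2 - q)P_+(T)P_-(T)$ for odd m, computes the two candidate values $N = P_\pm(1)$, verifies that each divides $q^5 - 1$, and reads off the embedding degree of every prime factor of N with respect to $q = 5^m$. The coefficient-list convention and the helper names are this example's own.

```python
# Added example, not from the paper: exact integer polynomial arithmetic
# checking the identities for P_±(T), and the embedding degree read off from
# N = P_±(1).  Polynomials are coefficient lists, lowest degree first.  The
# helper names and this convention are the example's own.


def poly_mul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] += x * y
    return out


def poly_eval(a, t):
    return sum(c * t ** i for i, c in enumerate(a))


def char_poly(m, sign):
    """P_±(T) = T^4 ± 5^{(m+1)/2} T^3 + 3·5^m T^2 ± 5^{(3m+1)/2} T + 5^{2m}, m odd.
    Since 5^{(3m+1)/2} = 5^{(m+1)/2} · 5^m, the T-coefficient is s*q."""
    if m % 2 == 0:
        raise ValueError("m must be odd (and coprime to 10)")
    q = 5 ** m
    s = sign * 5 ** ((m + 1) // 2)
    return [q * q, s * q, 3 * q, s, 1]


def product_identity(m):
    """P_+ P_- == T^8 + q T^6 + q^2 T^4 + q^3 T^2 + q^4, and
    (T^2 - q) P_+ P_- == T^10 - q^5."""
    q = 5 ** m
    prod = poly_mul(char_poly(m, +1), char_poly(m, -1))
    expected = [q ** 4, 0, q ** 3, 0, q ** 2, 0, q, 0, 1]
    full = poly_mul([-q, 0, 1], prod)
    expected_full = [-q ** 5] + [0] * 9 + [1]
    return prod == expected and full == expected_full


def group_orders(m):
    """The two candidates for N = #Jac(C)(F_q): (P_+(1), P_-(1))."""
    return poly_eval(char_poly(m, +1), 1), poly_eval(char_poly(m, -1), 1)


def embedding_degree(r, q):
    """Smallest k >= 1 with r | q^k - 1 (r prime, r does not divide q)."""
    k, t = 1, q % r
    while t != 1:
        t = t * q % r
        k += 1
    return k


def prime_factors(n):
    out, d = [], 2
    while d * d <= n:
        while n % d == 0:
            out.append(d)
            n //= d
        d += 1
    if n > 1:
        out.append(n)
    return out


def orders_divide_q5_minus_1(m):
    """Both candidate group orders divide q^5 - 1, as the text derives."""
    q = 5 ** m
    return all((q ** 5 - 1) % N == 0 for N in group_orders(m))


def embedding_degrees(m):
    """{r: k} for each prime r dividing P_+(1) or P_-(1), k w.r.t. q = 5^m."""
    q = 5 ** m
    return {r: embedding_degree(r, q)
            for N in group_orders(m) for r in set(prime_factors(N))}


if __name__ == "__main__":
    for m in (1, 3, 5):
        print(m, product_identity(m), group_orders(m),
              orders_divide_q5_minus_1(m), embedding_degrees(m))
```

For m = 1 the two candidate orders are 71 and 11, and $q^5 - 1 = 3124 = 4 \cdot 11 \cdot 71$, so both divide it and each has embedding degree exactly 5 with respect to q = 5; since N divides $q^5 - 1$, a prime factor r of N can only have k = 1 or k = 5, and k = 1 would require r to divide q − 1.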
Lemma 6.1. If $D_1$ and $D_2$ are non-zero points of prime order r in $\mathrm{Jac}(C)(\mathbb{F}_q)$, then $\psi$ is a suitable distortion map with respect to the Tate pairing.

Proof. As in the elliptic curve case, the pairing of $D_1$ with $D_2$ is defined over $\mathbb{F}_q$, and is therefore trivial. On the other hand, $\psi(D_2)$ is a non-zero r-torsion divisor which is not defined over $\mathbb{F}_q$. Thus $\{D_1, \psi(D_2)\}$ is a basis for $\mathrm{Jac}(C)(\mathbb{F}_{q^k})[r]$, and by non-degeneracy of the Tate pairing we have $e_r(D_1, \psi(D_2)) \neq 1$. □

Remark. Note that Lemma 6.1 is only stated for the Tate pairing. This is because while the Tate pairing is known to be non-degenerate for points defined over the field $\mathbb{F}_q(\mu_r) = \mathbb{F}_{q^5}$, we are only guaranteed that the Weil pairing is non-degenerate when working over $\mathbb{F}_q(\mathrm{Jac}(C)[r]) = \mathbb{F}_{q^{10}}$.

If C is a curve defined over $\mathbb{F}_q$, then for any integer n there is a natural homomorphism $\mathrm{Tr} : \mathrm{Jac}(C)(\mathbb{F}_{q^n}) \to \mathrm{Jac}(C)(\mathbb{F}_q)$ defined by

$$\mathrm{Tr}(D) := \sum_{i=0}^{n-1} \pi^i(D).$$

This map is called the trace (of Frobenius); its kernel is called the trace-zero subgroup of $\mathrm{Jac}(C)(\mathbb{F}_{q^n})$.

Lemma 6.2. If D is a point in $\mathrm{Jac}(C)(\mathbb{F}_q)$, then $\psi(D)$ lies in the trace-zero subgroup of $\mathrm{Jac}(C)(\mathbb{F}_{q^5})$.

Proof. We first prove the result for divisors of the form $D = (P) - (\infty)$ where P is a point in $C(\mathbb{F}_q)$. Observe that the y-coordinate of $\psi(P)$ is in $\mathbb{F}_q$. Hence the y-coordinates of $\pi^j(\psi(P))$ for 0 ≤ j ≤ 4 are all equal, say to some $y_0$, while the x-coordinates are all distinct. The function $(y - y_0)$ on C therefore has divisor equal to $(\psi(P)) + (\pi(\psi(P))) + \cdots + (\pi^4(\psi(P))) - 5(\infty)$, which is the trace of $(\psi(P)) - (\infty) = \psi(D)$. Hence, the trace of $\psi(D)$ is zero.

The same argument applies to divisors of the form $(P_1) + (P_2) - 2(\infty)$ where $P_1$ and $P_2$ are in $C(\mathbb{F}_q)$. A similar argument applies when $P_1$ and $P_2$ are Galois conjugates in $C(\mathbb{F}_{q^2})$: the y-coordinates of the $\pi^j(\psi(P_i))$ take either the same value 10 times, or two different values 5 times each. □

Using Lemmas 6.1 and 6.2, it immediately follows (as in [Ver04, GR04]) that $\psi$ and combinations of $\pi^j$ are sufficient as distortion maps for all pairs of points of order r in $\mathrm{Jac}(C)(\mathbb{F}_{q^5})$. On the other hand, since $\psi^2 = -1$, it is clear that $\mathbb{Q}[\pi, \psi]$ is a $\mathbb{Q}$-algebra of dimension 8; so combinations of $\pi$ and $\psi$ are not sufficient to act as distortion maps for all pairs of points in $\mathrm{Jac}(C)[r]$.

To obtain generators for the full endomorphism ring we use the fact that C is isomorphic over $\mathbb{F}_{5^5}$ to the curve $C' : Y^2 = X^5 - X$ (the isomorphism is $\eta(x, y) = (x - a, y)$ where $a \in \mathbb{F}_{5^5}$ satisfies $a^5 - a + b = 0$). On $C'$ we have the automorphism $\phi'(X, Y) = (2X, \beta Y)$ where $\beta \in \mathbb{F}_{5^2}$ satisfies $\beta^2 = 2$. Defining $\phi = \eta^{-1}\phi'\eta$ gives the automorphism

$$\phi(x, y) = (2x - a, \beta y)$$

on C. Since $\phi$ is not defined over $\mathbb{F}_{5^5}$ it follows that $\phi$ does not lie in $\mathbb{Q}[\pi, \psi]$ and hence $\mathbb{Q}[\pi, \psi, \phi] = \mathrm{End}^0(\mathrm{Jac}(C))$. It follows that if the Weil pairing is used then a distortion map of the form $\pi^u \psi^v \phi^w$ with 0 ≤ u ≤ 3, 0 ≤ v, w ≤ 1 may be used.
Remark. Since the embedding degree is odd, the fact that the image of the distortion map is a trace-zero divisor does not mean that the usual denominator elimination techniques for pairing implementation may be used. However, the ate pairing approach (see [HSV, GHOTV]) may be used to obtain a very simple pairing algorithm, with no final exponentiation required. This does not imply that characteristic 5 curves are fast for pairing-based cryptography, since 5 is not a very natural base for computer implementation of finite field arithmetic.

7. Curves with embedding degree 6 

Let p be an odd prime such that p ≡ 2 (mod 3). Let $\zeta_6$ be a primitive sixth root of unity over $\mathbb{F}_p$, and set $\zeta_3 := \zeta_6^2$.

We wish to construct a curve $C'/\mathbb{F}_p$ with embedding degree 6. The characteristic polynomial of Frobenius on $\mathrm{Jac}(C')$ must therefore be $T^4 - pT^2 + p^2$. Following [HNR06, p. 32], we obtain $C'$ by twisting the curve $C : y^2 = x^6 + 1$ with respect to its automorphism $u : (x, y) \mapsto (\zeta_3/x,\, y/x^3)$. To find a defining equation for $C'$, we need to find an isomorphism $\phi : C' \to C$ defined over $\overline{\mathbb{F}}_p$ such that $\phi^{(p)} \circ \phi^{-1} = u$. We can assume $\phi$ is of the form

$$\phi(X, Y) = (x, y) = \left( \frac{aX + b}{cX + d},\ \frac{Y}{(cX + d)^3} \right),$$

with $ad - bc \neq 0$; the curve $C'$ will then have a defining equation

$$C' : Y^2 = (aX + b)^6 + (cX + d)^6.$$

We need $\phi^{(p)} = u \circ \phi$, that is,

$$\left( \frac{a^p X + b^p}{c^p X + d^p},\ \frac{Y}{(c^p X + d^p)^3} \right) = \left( \frac{\zeta_3 (cX + d)}{aX + b},\ \frac{Y}{(aX + b)^3} \right).$$

To find particular solutions for a, b, c and d we begin by setting $a = c^p$ and $b = d^p$. Now $a^p = \zeta_3 c$ and $b^p = \zeta_3 d$, so we need values for c and d such that

$$c^{p^2 - 1} = d^{p^2 - 1} = \zeta_3.$$

Therefore, we choose some $\gamma$ in $\overline{\mathbb{F}}_p$ satisfying $\gamma^{p^2 - 1} = \zeta_3$, and set $c = \gamma$. One can show that $\gamma \in \mathbb{F}_{p^6}$. Note that $(c/d)^{p^2 - 1} = 1$, so c/d is an element of $\mathbb{F}_{p^2}$. On the other hand, we know $ad \neq bc$, so $c^p d \neq d^p c$: hence c/d is not an element of $\mathbb{F}_p$. Therefore, setting $d = \zeta_3 c$, we obtain a solution

$$a = \gamma^p, \quad b = \zeta_3^{-1}\gamma^p, \quad c = \gamma, \quad \text{and} \quad d = \zeta_3\gamma.$$

We want to find suitable distortion maps for $\mathrm{Jac}(C')$. We could proceed as in Section 4, and obtain a conditional result depending on the final assumption about the denominators. However, since $C'$ is isomorphic to C, we can consider the problem of finding distortion maps for Jac(C) instead: indeed, if $A \subset \mathrm{End}(\mathrm{Jac}(C))$ is a suitable set of distortion maps for Jac(C), then $\phi^{-1} A \phi$ will be a suitable set of distortion maps for $\mathrm{Jac}(C')$. This approach allows us to take advantage of the splitting behaviour of Jac(C), and thus to obtain an unconditional result.

Let E be the elliptic curve defined over $\mathbb{F}_p$ by $E : y^2 = x^3 + 1$, and let $\pi_E$ denote the p-power Frobenius on E. The curve E has an automorphism $\rho_3$ defined over $\mathbb{F}_{p^2}$ by $(x, y) \mapsto (\zeta_3 x, y)$.

Lemma 7.1. With E, $\rho_3$ and $\pi_E$ as above,
(1) E is supersingular,
(2) the characteristic polynomial of $\pi_E$ is $T^2 + p$, and
(3) $\mathbb{Z}[\pi_E, \rho_3]$ is an order of index 3 in $\mathrm{End}(E)$.

Proof. One easily checks that $\pi_E \circ \rho_3 \neq \rho_3 \circ \pi_E$ when p ≡ 2 (mod 3), so $\mathrm{End}(E)$ is non-commutative; it follows that E is supersingular. The characteristic polynomial of $\pi_E$ has the form $T^2 - tT + p$, where $-2\sqrt{p} \le t \le 2\sqrt{p}$; but since E is supersingular, p divides t [Sil86, Theorem V.3.1], and the only such t is 0. Hence the characteristic polynomial of Frobenius is $T^2 + p$. Since E is supersingular, $\mathrm{End}(E)$ is isomorphic to a maximal order of the quaternion algebra ramified at p and ∞; its discriminant is therefore p [Vig80, Corollary 5.3]. Explicit calculation shows that $\mathbb{Z}[\pi_E, \rho_3]$ is an order of discriminant 3p, and thus an order of index 3 in $\mathrm{End}(E)$. □

Let $f : C \to E$ (resp. $f' : C \to E$) be the morphism defined by $f(x, y) = (x^2, y)$ (resp. $f'(x, y) = (1/x^2,\, y/x^3)$). We define homomorphisms

$$\mu : E \times E \longrightarrow \mathrm{Jac}(C), \qquad (P, Q) \longmapsto f^*(P) + f'^*(Q) - 4P_\infty$$

and

$$\hat{\mu} : \mathrm{Jac}(C) \longrightarrow E \times E, \qquad P + Q - 2P_\infty \longmapsto \big(f_*(P) + f_*(Q),\ f'_*(P) + f'_*(Q)\big)$$

where $P_\infty = (0, 1, 0) \in C$.

Observe that jlop, = [2]exe and pofi = [2] j a c(c?) ' so A 4 an d l 1 are (2) 2)-isogenies. 
We can therefore define an injective (group) homomorphism 

T : End(Jac(C)) — ► End(P x E) 

tp I ► fb O if) O fj,. 

While T is not a ring homomorphism, one easily checks that 

T{ij>)TW) = 2T(#') 

for all endomorphisms ip and tp' of Jac(C). 

Let x an d ^6 be the automorphisms of C defined by 

X(x, y) = (l/x, y/x 3 ) and p 6 (x, y) = (( 6 x, y); 

we use the same notations for the induced endomorphisms of Jac(C). Note that 
7rc,X, pe all preserve Poo- Let ttq denote the p-power Frobenius on C, and let 
A = Z{irc,X, Pe] be the subring of End(Jac(C)) generated by nc, Xj and p%. We 
will compute an upper bound for the index ofT(A) in End(P x E) = M 2 (End(.E)). 
It suffices to compute the images of ttc, Xj an d Pe- 

Lemma 7.2. The images of $\pi_C$, $\chi$ and $\rho_6$ in $\mathrm{End}(E \times E)$ are given by

$$T(\pi_C) = 2\begin{pmatrix} \pi_E & 0 \\ 0 & \pi_E \end{pmatrix}, \qquad T(\chi) = 2\begin{pmatrix} 0 & 1 \\ 1 & 0 \end{pmatrix}, \qquad T(\rho_6) = 2\begin{pmatrix} \rho_3 & 0 \\ 0 & -\rho_3^{-1} \end{pmatrix}.$$

Proof. We show this for $\rho_6$, the other computations being similar. We abuse notation by dropping the $P_\infty$'s, since they remain unchanged in the computations. Consider a point $(x^2, y)$ on $E$. We have $f^*(x^2, y) = (x, y) + (-x, y)$ in $\mathrm{Jac}(C)$, so

$$\rho_6 \circ f^*(x^2, y) = (\zeta_6 x, y) + (-\zeta_6 x, y).$$

Now

$$f_* \circ \rho_6 \circ f^*(x^2, y) = ((\zeta_6 x)^2, y) + ((-\zeta_6 x)^2, y) = 2(\zeta_3 x^2, y) = ([2] \circ \rho_3)(x^2, y),$$

whereas

$$(f'_* \circ \rho_6 \circ f^*)(x^2, y) = \bigl(1/(\zeta_6 x)^2,\; y/(\zeta_6 x)^3\bigr) + \bigl(1/(-\zeta_6 x)^2,\; y/(-\zeta_6 x)^3\bigr) = \bigl(1/(\zeta_3 x^2),\; -y/x^3\bigr) + \bigl(1/(\zeta_3 x^2),\; y/x^3\bigr) = 0.$$

In the same way, $f'^*(1/x^2, y/x^3) = (x, y) + (-x, -y)$, so

$$(f'_* \circ \rho_6 \circ f'^*)(1/x^2, y/x^3) = \bigl(1/(\zeta_6 x)^2,\; y/(\zeta_6 x)^3\bigr) + \bigl(1/(-\zeta_6 x)^2,\; -y/(-\zeta_6 x)^3\bigr) = \bigl(1/(\zeta_3 x^2),\; -y/x^3\bigr) + \bigl(1/(\zeta_3 x^2),\; -y/x^3\bigr) = ([-2] \circ \rho_3^{-1})(1/x^2, y/x^3),$$

whereas $(f_* \circ \rho_6 \circ f'^*)(1/x^2, y/x^3) = 0$. □

Using Lemma 7.2, we see that the images of $1 + \rho_6^3$, $1 - \rho_6^3$, $\chi + \chi\rho_6^3$ and $\chi - \chi\rho_6^3$ in $\mathrm{End}(E \times E)$ are the "projectors"

Composing with the images of $\pi_C$ and $\rho_6$, we get

$$M_2\bigl(4\mathbb{Z}[\pi_E, \rho_3]\bigr) \subset T(A) \subset M_2(\mathrm{End}(E)).$$

Since $\mathbb{Z}[\pi_E, \rho_3]$ has index 3 in $\mathrm{End}(E)$, the index of $T(A)$ in $M_2(\mathrm{End}(E))$ divides $2^8 \cdot 3^4$. Now, suppose $r$ is a prime different from $p$, $2$ and $3$. Following the proof of Theorem 2.1, by tensoring with $\mathbb{Z}/r\mathbb{Z}$ we get an isomorphism

$$T_r : \mathrm{End}(\mathrm{Jac}(C)) \otimes \mathbb{Z}/r\mathbb{Z} \;\longrightarrow\; M_2(\mathrm{End}(E)) \otimes \mathbb{Z}/r\mathbb{Z} \;\cong\; M_4(\mathbb{Z}/r\mathbb{Z})$$

and $T_r(A)$ is of index dividing $2^8 \cdot 3^4$ in $M_4(\mathbb{Z}/r\mathbb{Z})$. Thus, if $D_1$ and $D_2$ are non-zero elements of $\mathrm{Jac}(C)[r]$, we can find a map $\Phi$ in $M_4(\mathbb{Z}/r\mathbb{Z})$ such that $e_r(D_1, \Phi(D_2)) \neq 1$. Then $2^8 \cdot 3^4\,\Phi = T_r(\psi)$ for some $\psi$ in $A$, and

$$e_r(D_1, \psi(D_2)) = e_r\bigl(D_1, [2^8 \cdot 3^4]\Phi(D_2)\bigr) = e_r(D_1, \Phi(D_2))^{2^8 \cdot 3^4} \neq 1.$$

We have proven the following theorem.

Theorem 7.3. Let $r$ be a prime different from $2$, $3$ and $p$. For all pairs $D_1, D_2$ of non-zero elements of $\mathrm{Jac}(C')[r]$, there exists a suitable distortion map in the ring

Remark. Using the construction of [HLP00, p. 12] with the group-scheme isomorphism $\eta : E[2] \to E[2]$ mapping $(-1, 0)$ to itself and $(\zeta_6, 0)$ to $(1/\zeta_6, 0)$, we have $\mathrm{Jac}(C) \cong (E \times E)/\mathrm{Graph}(\eta)$. Moreover, if $\lambda$ is the canonical polarization on $\mathrm{Jac}(C)$ and $\lambda_{E \times E}$ the split polarization on $E \times E$, then $\lambda_{E \times E} = \hat\mu(2\lambda)\mu$. Thus if $D_1$ and $D_2$ are elements of $\mathrm{Jac}(C)[r]$, then

$$e_r^{\lambda}(D_1, D_2)^4 = e_r^{\lambda}(2D_1, 2D_2) = e_r^{\lambda}(\mu\hat\mu D_1, \mu\hat\mu D_2) = e_r^{\lambda_{E \times E}}(\hat\mu D_1, \hat\mu D_2) = e_r^{E}(f_* D_1, f_* D_2) \cdot e_r^{E}(f'_* D_1, f'_* D_2).$$

In particular, pulling back two divisors on $\mathrm{Jac}(C')$ first to $\mathrm{Jac}(C)$ and then to $E \times E$, we see that computing the pairing on $\mathrm{Jac}(C')$ amounts to computing two pairings on the elliptic curve $E$, one for each factor on the right-hand side.
8. Curves with embedding degree 12

The curves $C : y^2 + y = x^5 + x^3 + b$ over $\mathbb{F}_{2^m}$ with $b = 0, 1$ were studied by van der Geer and van der Vlugt in [vdGvdV92] and [vdGvdV92b], in view of their applications to coding theory. Throughout this section, the ground field is $\mathbb{F}_{2^m}$, where $m \equiv \pm 1 \pmod 6$.

The characteristic polynomial of the Frobenius endomorphism $\pi$ over $\mathbb{F}_{2^m}$ is

$$P^{\pm}(T) = T^4 \pm 2^{(m+1)/2}\,T^3 + 2^m\,T^2 \pm 2^{(3m+1)/2}\,T + 2^{2m},$$

so $\mathrm{Jac}(C)$ is supersingular and simple over $\mathbb{F}_{2^m}$. We have

$$P^+(T)\,P^-(T) = T^8 - 2^{2m}\,T^4 + 2^{4m}$$

and

$$(T^8 - 2^{4m})(T^8 + 2^{2m}\,T^4 + 2^{4m})\,P^+(T)\,P^-(T) = T^{24} - 2^{12m}.$$

Evaluating the last identity at $T = 1$ shows that every prime $r$ dividing $\#\mathrm{Jac}(C)(\mathbb{F}_{2^m}) = P^{\pm}(1)$ divides $2^{12m} - 1$, and the embedding degree is $k = 12$.
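The polynomial identities above can be checked mechanically. The following Python (an added example, not the authors' code) multiplies the two characteristic polynomials as exact integer coefficient lists, checks both displayed identities for several admissible $m$, and then, for the constructed case $m = 5$ (so $q = 2^5$), takes $r = P^+(1) = 1321$, which would be $\#\mathrm{Jac}(C)(\mathbb{F}_{2^5})$ when $P^+$ is the Frobenius polynomial, and computes the multiplicative order of $q$ modulo $r$, i.e. the embedding degree. The choice $m = 5$, the sign choice and all function names are the example's own.

```python
# Added example (not from the paper): exact-integer checks of the characteristic
# polynomial identities for C : y^2 + y = x^5 + x^3 + b over F_{2^m}, m ≡ ±1 (mod 6),
# and of the resulting embedding degree.  Polynomials are coefficient lists with
# list index = degree, so no floating point is involved.

def poly_mul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] += ai * bj
    return out

def charpoly(m, sign):
    """P_±(T) = T^4 ± 2^{(m+1)/2} T^3 + 2^m T^2 ± 2^{(3m+1)/2} T + 2^{2m} (m odd)."""
    if m % 6 not in (1, 5):
        raise ValueError("m must be congruent to ±1 mod 6")
    s = 1 if sign == "+" else -1
    return [2 ** (2 * m), s * 2 ** ((3 * m + 1) // 2), 2 ** m, s * 2 ** ((m + 1) // 2), 1]

def product_pm(m):
    """P_+(T) P_-(T), which the text says equals T^8 - 2^{2m} T^4 + 2^{4m}."""
    return poly_mul(charpoly(m, "+"), charpoly(m, "-"))

def expected_product(m):
    q = 2 ** m
    p = [0] * 9
    p[8], p[4], p[0] = 1, -q ** 2, q ** 4
    return p

def t24_identity_holds(m):
    """(T^8 - 2^{4m})(T^8 + 2^{2m} T^4 + 2^{4m}) P_+(T) P_-(T) == T^24 - 2^{12m}."""
    q = 2 ** m
    f1 = [0] * 9
    f1[8], f1[0] = 1, -q ** 4
    f2 = [0] * 9
    f2[8], f2[4], f2[0] = 1, q ** 2, q ** 4
    lhs = poly_mul(poly_mul(f1, f2), product_pm(m))
    rhs = [0] * 25
    rhs[24], rhs[0] = 1, -q ** 12
    return lhs == rhs

def jacobian_order(m, sign):
    """#Jac(C)(F_{2^m}) = P(1) when P is the characteristic polynomial of Frobenius."""
    return sum(charpoly(m, sign))

def is_prime(n):
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True

def embedding_degree(q, r):
    """Smallest k >= 1 with r | q^k - 1 (r prime, r coprime to q)."""
    k, x = 1, q % r
    while x != 1:
        x = x * q % r
        k += 1
    return k

def example_m5():
    """Constructed case m = 5 (≡ -1 mod 6), q = 32, assuming P_+ is the Frobenius polynomial."""
    m = 5
    r = jacobian_order(m, "+")   # 1321, which happens to be prime
    return r, embedding_degree(2 ** m, r)
```

With $m = 5$ one finds $P^+(1) = 1321$ (prime) and $P^-(1) = 793 = 13 \cdot 61$; for each of these prime factors the order of $2^5$ modulo $r$ is exactly $12$, so the embedding degree is not a proper divisor of $12$ in these cases.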

Theorem 2.1 shows that a distortion map $\phi$ exists for every pair $(D_1, D_2)$ of points in $\mathrm{Jac}(C)[r]$. We will now give a set of maps that contains a distortion map for any pair of divisors in $\mathrm{Jac}(C)(\mathbb{F}_{2^{12m}})[r]$, by exhibiting a basis of $\mathrm{End}^0(\mathrm{Jac}(C))$.

The automorphisms of $C$ are of the form

$$\sigma_\omega : (x, y) \mapsto (x + \omega,\; y + s_2 x^2 + s_1 x + s_0),$$

where $\omega$ is any root of the polynomial

$$x^{16} + x^8 + x^2 + x = (x^6 + x^5 + x^3 + x^2 + 1)(x^3 + x^2 + 1)(x^3 + x + 1)(x^2 + x + 1)(x + 1)\,x,$$

and where $s_2 = \omega^8 + \omega^4 + \omega$, $s_1 = \omega^4 + \omega^2$, and $s_0$ is a root of $y^2 + y = \omega^5 + \omega^3$ (note that $s_0 + 1$ is the other root). For each $\omega$, we arbitrarily fix one of the corresponding $s_0$, and denote the resulting automorphism $\sigma_\omega$. We interpret these automorphisms as elements of $\mathrm{End}(\mathrm{Jac}(C))$. One can verify that they satisfy the relations

$$\sigma_\omega \sigma_{\omega'} = \pm \sigma_{\omega'} \sigma_\omega = \pm \sigma_{\omega + \omega'}.$$

Fix a root $\tau$ in $\mathbb{F}_{2^6}$ of $x^6 + x^5 + x^3 + x^2 + 1$, and set $\xi = \tau^4 + \tau^2$, $\rho = \tau^2 + \tau + 1$, and $\theta = \tau^4 + \tau^2 + \tau$. Note that $\xi$, $\rho$ and $\theta$ are roots of the cubic and quadratic factors above. We have $\theta^2 = \theta + 1$, $\tau^8 = \tau + 1$, and $\theta + \tau = \xi$. As before, we let $\mathbb{Z}[\pi, \sigma_\tau, \sigma_\theta]$ denote the non-commutative ring generated by $\pi$, $\sigma_\tau$ and $\sigma_\theta$, and write $\mathbb{Q}[\pi, \sigma_\tau, \sigma_\theta] = \mathbb{Z}[\pi, \sigma_\tau, \sigma_\theta] \otimes \mathbb{Q}$ for the algebra generated by $\pi$, $\sigma_\tau$ and $\sigma_\theta$.
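The relations among $\tau$, $\xi$, $\rho$ and $\theta$, and the shape of $\sigma_\omega$, can be verified directly in $\mathbb{F}_{2^6}$. The following Python (an added example, not the authors' code) implements $\mathbb{F}_{2^6} = \mathbb{F}_2[x]/(x^6 + x^5 + x^3 + x^2 + 1)$ with $\tau$ the class of $x$, checks $\tau^8 = \tau + 1$, $\theta^2 = \theta + 1$, $\theta + \tau = \xi$ and that $\xi$, $\rho$ are roots of the cubic factors, and then confirms that the substitution $(x, y) \mapsto (x + \omega, y + s_2 x^2 + s_1 x + s_0)$ with $s_2 = \omega^8 + \omega^4 + \omega$, $s_1 = \omega^4 + \omega^2$ carries $y^2 + y = x^5 + x^3 + b$ to itself exactly when $\omega$ is a root of $x^{16} + x^8 + x^2 + x$. The constant term $\omega^5 + \omega^3$ is compared as well, but the value of $s_0$ itself (which may live in an extension field) is never needed. The integer encoding of field elements and the function names are the example's own.

```python
# Added example (not from the paper): arithmetic in F_{2^6} and a check of the
# automorphisms sigma_omega of C : y^2 + y = x^5 + x^3 + b.  A field element is an
# int whose bit i is the coefficient of tau^i; tau is the class of x modulo the
# sextic factor x^6 + x^5 + x^3 + x^2 + 1, exactly as in the text.

MOD = 0b1101101   # x^6 + x^5 + x^3 + x^2 + 1

def gf_mul(a, b):
    """Carry-less product reduced modulo MOD (schoolbook shift-and-xor)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x40:          # degree reached 6: replace x^6 by x^5 + x^3 + x^2 + 1
            a ^= MOD
    return r

def gf_pow(a, e):
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r

TAU   = 0b10
XI    = gf_pow(TAU, 4) ^ gf_pow(TAU, 2)            # xi    = tau^4 + tau^2
RHO   = gf_pow(TAU, 2) ^ TAU ^ 1                   # rho   = tau^2 + tau + 1
THETA = gf_pow(TAU, 4) ^ gf_pow(TAU, 2) ^ TAU      # theta = tau^4 + tau^2 + tau

def is_root_of_cubic_factor(w):
    """w is a root of x^3 + x + 1 or of x^3 + x^2 + 1 (the two cubic factors)."""
    w3 = gf_pow(w, 3)
    return (w3 ^ w ^ 1) == 0 or (w3 ^ gf_mul(w, w) ^ 1) == 0

def is_root_of_x16(w):
    """w is a root of x^16 + x^8 + x^2 + x."""
    return (gf_pow(w, 16) ^ gf_pow(w, 8) ^ gf_mul(w, w) ^ w) == 0

def sigma_coefficients(w):
    """(s_2, s_1) for sigma_w; s_0 solves y^2 + y = w^5 + w^3 and is not needed here."""
    return gf_pow(w, 8) ^ gf_pow(w, 4) ^ w, gf_pow(w, 4) ^ gf_pow(w, 2)

def sigma_preserves_curve(w):
    """Does (x, y) -> (x + w, y + s(x)), s = s_2 x^2 + s_1 x + s_0, map the curve to itself?
    Substituting into y^2 + y = x^5 + x^3 + b, the equation is preserved iff
        s^2 + s = (x + w)^5 + (x + w)^3 + x^5 + x^3        (characteristic 2),
    where s^2 + s = s_2^2 x^4 + (s_1^2 + s_2) x^2 + s_1 x + (s_0^2 + s_0).
    Both sides have degree <= 5, so agreement at all 64 field elements proves
    equality; the constant term w^5 + w^3 is exactly what s_0 is chosen to absorb."""
    s2, s1 = sigma_coefficients(w)
    const = gf_pow(w, 5) ^ gf_pow(w, 3)
    for x in range(64):
        xw = x ^ w
        lhs = gf_pow(xw, 5) ^ gf_pow(xw, 3) ^ gf_pow(x, 5) ^ gf_pow(x, 3)
        rhs = (gf_mul(gf_mul(s2, s2), gf_pow(x, 4))
               ^ gf_mul(gf_mul(s1, s1) ^ s2, gf_mul(x, x))
               ^ gf_mul(s1, x) ^ const)
        if lhs != rhs:
            return False
    return True

def automorphism_translations():
    """All w in F_{2^6} for which the translation part of sigma_w is admissible."""
    return [w for w in range(64) if sigma_preserves_curve(w)]
```

Since all six factors of $x^{16} + x^8 + x^2 + x$ split in $\mathbb{F}_{2^6}$, `automorphism_translations()` returns exactly the 16 roots, and $0$, $1$, $\tau$, $\xi$, $\rho$, $\theta$ are among them.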

Proposition 8.1. The $\mathbb{Q}$-algebra $\mathbb{Q}[\pi, \sigma_\tau, \sigma_\theta]$ is a 16-dimensional $\mathbb{Q}$-vector space with a direct sum decomposition

$$\mathbb{Q}[\pi, \sigma_\tau, \sigma_\theta] = \mathbb{Q}(\pi) \oplus \sigma_\tau\,\mathbb{Q}(\pi) \oplus \sigma_\xi\,\mathbb{Q}(\pi) \oplus \sigma_\theta\,\mathbb{Q}(\pi).$$

Furthermore, $\mathrm{End}^0(\mathrm{Jac}(C)) = \mathbb{Q}[\pi, \sigma_\tau, \sigma_\theta]$.

Proof. Let $F = \mathbb{Q}(\pi)$; note that $F$ is a 4-dimensional $\mathbb{Q}$-vector space. One easily checks that the relations

$$\pi\sigma_\omega = \pm \sigma_{\omega^{2^m}}\,\pi, \qquad \sigma_\omega^2 = \pm 1,$$

$$\pi^3 \sigma_\tau \pi^{-3} = \pm \sigma_{\tau^{2^3}} = \pm \sigma_{\tau + 1} = \pm \sigma_\tau \sigma_1, \qquad\text{and}\qquad \pi \sigma_\theta \pi^{-1} = \pm \sigma_{\theta^2} = \pm \sigma_{\theta + 1} = \pm \sigma_1 \sigma_\theta$$

hold, where $\sigma_1$ is the automorphism $(x, y) \mapsto (x + 1, y + x^2)$.

Let $A := F \oplus \sigma_\tau F$; the sum is direct, because $\sigma_\tau$ is not in $F$. We see that $A$ is an 8-dimensional $\mathbb{Q}$-vector space. Note that $A$ is not an algebra.

We now show that $A \oplus \sigma_\xi F$ is direct. Assume the contrary: that is, that there is some non-zero $z$ in $F$ such that $\sigma_\xi z$ lies in $A$. Dividing by $z$, we must have

$$\sigma_\xi = z_1 + \sigma_\tau z_2$$

for some $z_1$ and $z_2$ in $F$. Now, since $\xi \in \mathbb{F}_{2^3}$ we have $\sigma_\xi = \pi^3 \sigma_\xi \pi^{-3}$. Using the relations above, we see

$$z_1 + \sigma_\tau z_2 = \pi^3 \sigma_\xi \pi^{-3} = \pi^3 (z_1 + \sigma_\tau z_2) \pi^{-3} = z_1 \pm \sigma_{\tau^{2^3}} z_2 = z_1 \pm \sigma_\tau \sigma_1 z_2.$$

Since $A$ is a direct sum and $\sigma_1 \neq \pm 1$, we have $z_2 = 0$: that is, $\sigma_\xi$ must lie in $F$, which is a contradiction since $\sigma_\xi$ does not commute with $\pi$.

Finally, we show that $(A \oplus \sigma_\xi F) \oplus \sigma_\theta F$ is direct. Assuming the contrary, we have

$$\sigma_\theta = z_1 + \sigma_\tau z_2 + \sigma_\xi z_3$$

for some $z_1$, $z_2$ and $z_3$ in $F$. Again using the relations above, we have

$$\begin{aligned}
0 &= \sigma_1 \sigma_\theta \pi^3 \pm \pi^3 \sigma_\theta \\
  &= \sigma_1 (z_1 + \sigma_\tau z_2 + \sigma_\xi z_3)\pi^3 \pm \pi^3 (z_1 + \sigma_\tau z_2 + \sigma_\xi z_3) \\
  &= \sigma_1 (z_1 + \sigma_\tau z_2 + \sigma_\xi z_3)\pi^3 \pm (z_1 \pm \sigma_{\tau^{2^3}} z_2 \pm \sigma_{\xi^{2^3}} z_3)\pi^3 \\
  &= (\sigma_1 \pm 1) z_1 \pi^3 \pm (\sigma_1 \pm \sigma_1)\sigma_\tau z_2 \pi^3 \pm (\sigma_1 \pm 1)\sigma_\xi z_3 \pi^3.
\end{aligned}$$

Since $A \oplus \sigma_\xi F$ is direct and $\sigma_1 \neq \pm 1$, we must have $z_1 = z_3 = 0$. Therefore, $\sigma_\theta = \sigma_\tau z$ for some $z$ in $F$; but this is a contradiction, since $\sigma_\theta$ is defined over $\mathbb{F}_{2^2}$, while $\sigma_\tau$ is defined over $\mathbb{F}_{2^6}$. We conclude that $(A \oplus \sigma_\xi F) \oplus \sigma_\theta F$ is direct.

Thus $\mathbb{Q}[\pi, \sigma_\tau, \sigma_\theta] = F \oplus \sigma_\tau F \oplus \sigma_\xi F \oplus \sigma_\theta F$, and is therefore a 16-dimensional $\mathbb{Q}$-vector space. Since $\mathrm{End}^0(\mathrm{Jac}(C))$ is 16-dimensional and contains $\mathbb{Q}[\pi, \sigma_\tau, \sigma_\theta]$, we have $\mathrm{End}^0(\mathrm{Jac}(C)) = \mathbb{Q}[\pi, \sigma_\tau, \sigma_\theta]$. □

Our claim that a distortion map for any pair of divisors may be chosen from the maps $\pi$, $\sigma_\tau$ and $\sigma_\theta$ follows. Indeed, for any pair of points $(D_1, D_2)$ in $\mathrm{Jac}(C)[r]$, we may choose a distortion map $\phi$ as a $\mathbb{Q}$-linear combination of the endomorphisms $\pi^i$, $\pi^j \sigma_\tau$, $\pi^k \sigma_\theta$ and $\pi^l \sigma_\xi$. If we assume that we may choose coefficients such that the least common multiple $N$ of their denominators is coprime to $r$, then $N\phi$ lies in $\mathbb{Z}[\pi, \sigma_\tau, \sigma_\theta]$, and is a suitable distortion map.

9. Conclusions and future work 

We have given several examples of distortion maps for supersingular Jacobians 
of genus 2 curves with embedding degree 4, 5, 6 and 12. We have proven, subject 
to a reasonable assumption, that these maps are sufficient for all applications. 

One natural problem for future study is to show that the assumption holds for the 
curves considered in this paper. Another problem is to consider similar problems 
in the genus 3 case, although Rubin and Silverberg [RS02] have shown that there 
is little motivation for using high genus curves in pairing applications. 